webmcp
diff libraries/json/json.c @ 152:7b5c13fdc2ec
Reject arrays that exceed INT_MAX elements in JSON library
| author | jbe | 
|---|---|
| date | Thu Jul 31 01:02:46 2014 +0200 (2014-07-31) | 
| parents | 6d2bb696f736 | 
| children | c8c91216255f | 
   line diff
1.1 --- a/libraries/json/json.c Thu Jul 31 00:44:17 2014 +0200 1.2 +++ b/libraries/json/json.c Thu Jul 31 01:02:46 2014 +0200 1.3 @@ -121,6 +121,7 @@ 1.4 luaL_Buffer luabuf; // Lua buffer to decode JSON string values 1.5 char *cbuf; // C buffer to decode JSON string values 1.6 size_t writepos; // write position of decoded strings in C buffer 1.7 + size_t arraylen; // variable to temporarily store the array length 1.8 // stack shall contain one function argument: 1.9 lua_settop(L, 1); 1.10 // push objectmt onto stack position 2: 1.11 @@ -407,8 +408,16 @@ 1.12 goto json_import_loop; 1.13 // an array value has been read: 1.14 case JSON_STATE_ARRAY_VALUE: 1.15 + // get current array length: 1.16 + arraylen = lua_rawlen(L, -3); 1.17 + // throw error if array would exceed INT_MAX elements: 1.18 + // TODO: Lua 5.3 may support more elements 1.19 + if (arraylen >= INT_MAX) { 1.20 + lua_pushnil(L); 1.21 + lua_pushfstring(L, "Array exceeded length of %d elements", INT_MAX); 1.22 + } 1.23 // store value in outer shadow table: 1.24 - lua_rawseti(L, -3, lua_rawlen(L, -3) + 1); 1.25 + lua_rawseti(L, -3, arraylen + 1); 1.26 // expect value terminator (or end of object) to follow: 1.27 mode = JSON_STATE_ARRAY_SEPARATOR; 1.28 // continue with loop 1.29 @@ -697,7 +706,7 @@ 1.30 #define json_ipairs_iterfunc_shadowtbl_idx 4 1.31 1.32 static int json_ipairs_iterfunc(lua_State *L) { 1.33 - int idx; 1.34 + lua_Integer idx; 1.35 // stack shall contain two function arguments: 1.36 lua_settop(L, 2); 1.37 // push nullmark onto stack position 3: